XML Flooding
Attack description
XML Flooding aims at exhausting the resources of a web service by sending a large number of legitimate SOAP messages. The attack is comparable to the classical denial-of-service attack on web servers, where the server is flooded with a large number of valid HTTP requests until it is unable to respond.
The attack is also known under the name XML Flood.
Attack subtypes
One can distinguish between two attack subtypes:
- Single XML Flooding: In this scenario all requests originate from one attacker. This attack can be defended easily.
- Distributed XML Flooding: In this scenario many different web service clients make requests at the same time. Usually these clients are controlled by the attacker. Defending against this attack is still not possible.
Prerequisites for attack
In order for this attack to work, the attacker has to have knowledge of the following things:
- The attacker knows the endpoint of the web service; otherwise he is not able to reach it.
- The attacker can reach the endpoint from his location. Access to the attacked web service is required. If the web service is only available to users within a certain company network, this attack is limited.
Graphical representation of attack
In this attack there is no component in the web service architecture that is specifically attacked.
The web service server is attacked as a whole.
Attack example
Figure 1 shows an example of Single XML Flooding where one attacker sends as many requests as possible to the attacked web service.
Figure 2: Single XML Flooding example
Figure 3 shows a Distributed XML Flooding attack where various intermediary clients, controlled by an attacker, send requests to the victim.
Figure 3: Distributed XML Flooding example
Attack mitigation / countermeasures
When talking about countermeasures one has to distinguish between the two subtypes.
- Single XML Flooding can be defended easily by limiting the number of requests per IP address in a given time frame. The maximum number of requests per IP address per time frame depends on the type of deployed web service and the hardware the application is running on. For a web service giving out the local temperature, one request per minute per IP address should be sufficient.
- Distributed XML Flooding can't be defended today. Even though certain approaches exist to fight this attack, it's not possible to prevent the attack from happening. A simple solution used by big companies today is to run servers with sufficient overcapacity; attacks up to a certain size can then be handled successfully. Another approach that can handle attacks up to a certain size is the use of cloud computing: when under attack, the web service simply allocates more server resources to keep running.
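The per-IP request limit described above for Single XML Flooding, as an added example that is not part of the original page: a sliding-window limiter that forwards at most `max_requests` SOAP envelopes per `window_seconds` from each client address. The request trace, the documentation IP addresses and the limit of three requests per minute are constructed for the example; the bot addresses 192.0.2.10 to 192.0.2.12 are included to show why the same limiter cannot distinguish a distributed flood from normal traffic, since each bot stays under its own quota.

```python
"""Per-IP sliding-window rate limiter as a countermeasure to Single XML Flooding (added example)."""
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Allow at most max_requests per window_seconds for each client IP."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        # ip -> timestamps of the requests accepted inside the current window
        self._accepted = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._accepted[ip]
        # Expire timestamps that have slid out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over quota: reject without extending the client's window
        q.append(now)
        return True


def is_soap_envelope(body: str) -> bool:
    """Cheap structural check so that only SOAP envelopes are counted and forwarded."""
    return "<soap:Envelope" in body or "<soapenv:Envelope" in body


# Constructed trace of (timestamp in seconds, client IP, request body).
# 203.0.113.5 plays the single flooder, 198.51.100.7 a normal client and
# 192.0.2.10/11/12 three bots of a distributed flood (all addresses are RFC 5737
# documentation ranges, chosen for the example).
ENVELOPE = ('<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
            '<soap:Body/></soap:Envelope>')
SAMPLE_TRACE = [
    (0.0, "203.0.113.5", ENVELOPE), (0.5, "203.0.113.5", ENVELOPE),
    (1.0, "203.0.113.5", ENVELOPE), (1.5, "203.0.113.5", ENVELOPE),
    (2.0, "203.0.113.5", ENVELOPE),
    (70.0, "203.0.113.5", ENVELOPE),    # flooder returns after the window has passed
    (0.2, "198.51.100.7", ENVELOPE), (30.0, "198.51.100.7", ENVELOPE),
    (61.0, "198.51.100.7", ENVELOPE),
    (5.0, "192.0.2.10", ENVELOPE), (5.1, "192.0.2.11", ENVELOPE), (5.2, "192.0.2.12", ENVELOPE),
    (6.0, "192.0.2.10", ENVELOPE), (6.1, "192.0.2.11", ENVELOPE), (6.2, "192.0.2.12", ENVELOPE),
    (7.0, "192.0.2.10", "not a soap message"),  # rejected by the structural check
]


def filter_trace(trace, max_requests: int = 3, window_seconds: float = 60.0) -> dict:
    """Apply the limiter to a trace; return {ip: (forwarded, rejected)}."""
    limiter = PerIpRateLimiter(max_requests, window_seconds)
    counts = defaultdict(lambda: [0, 0])
    # Process in arrival order; the limiter keeps one window per source IP.
    for ts, ip, body in sorted(trace, key=lambda r: r[0]):
        if is_soap_envelope(body) and limiter.allow(ip, ts):
            counts[ip][0] += 1
        else:
            counts[ip][1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def bot_requests_forwarded(result: dict) -> int:
    """How many distributed-flood requests still reached the service."""
    return sum(fwd for ip, (fwd, _) in result.items() if ip.startswith("192.0.2."))


if __name__ == "__main__":
    for ip, (forwarded, rejected) in filter_trace(SAMPLE_TRACE).items():
        print(f"{ip:15} forwarded={forwarded} rejected={rejected}")
```

Only accepted requests are recorded in the window, so a client that keeps hammering while over quota does not push its own window forward; once the window has expired the flooder is served again, which is the intended behaviour of a rate limit rather than a ban. The three bot addresses each stay within quota and all six of their envelopes are forwarded, which is the distributed case the text says cannot be prevented by this measure.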
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
The "Single XML Flooding" attack is categorised as follows:
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
The "Distributed XML Flooding" attack is categorised as follows:
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_2+_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Web_Service_Server
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws